Bargain hunters beware: Trojan attacks instead of bargains

Supposed clearance sales at MOOO.COM can turn out to be expensive

07/30/2009 | Bochum

A supposed clearance sale at the MOOO.COM website is currently being widely promoted in a huge spam campaign. According to the emails, the MOOO.COM website is closing up shop due to "today's somewhat difficult economic situation", and discounts of up to 95% are possible.

Recipients of the bargain-buy email with the subject "CLEARANCE SALE" need only click on a link in the email to browse through the "personalised product information".

Even the most die-hard bargain hunters must resist the urge to do so at all costs, as a particularly unpleasant surprise awaits otherwise. The link to the bargain hunting opportunity points to a file called ausverkauf.exe, which contains a version of the Trojan horse Buzus. Trojan horses from the Buzus family scan the infected systems of their victims for personal data (credit cards, online banking, email and FTP access data), which is then transferred to the attacker. In addition, the malware attempts to lower the computer's security settings so that the victim's computer can be attacked more easily.

Moreover, the MOOO.COM website has nothing to do with a shopping portal; rather, it is a free DNS service through which sub-domains of the MOOO.COM domain can be set up to point to any chosen target.

Ralf Benzmüller, manager of G Data Security Labs, warns: "Time and again we see how cyber criminals abuse popular, free-to-access Internet services for their own nefarious schemes. Up until now, transfer scripts have been used to forward users to particular sites, in the way that they are used on any large domain. Use of a DNS service to transfer victims in this way is an alternative which had not been exploited up until now."

This once again demonstrates one of the key concepts of criminal malware makers: complementing the underlying technical attack with a targeted approach to potential victims, so-called social engineering. In this case, the exceptionally high discount offered to the recipients of the bait mail encourages them to click on the link in the email and, in so doing, infect their systems.

Everyone, not only bargain hunters, should treat unsolicited emails sceptically, should not accept downloads which pop up as a result of links in emails, and should use a virus scanner with an HTTP filter. Such a filter blocks harmful web content before it reaches the Internet browser and protects against unpleasant consequences.
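A mail-gateway style check for the pattern described in this report, given as an added example that is not G Data's code: it flags links whose host is a sub-domain of a free DNS service and whose path ends in an executable extension. The suffix and extension lists are assumptions seeded from this report (mooo.com, .exe), and the sample message with its `placeholder` sub-domain is constructed.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: seeded with the one service named in the report; extend locally.
FREE_DNS_SUFFIXES = {"mooo.com"}
# Assumption: extensions treated as directly executable on Windows.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample; the real campaign's sub-domain is not given in the report.
SAMPLE = (
    "Subject: CLEARANCE SALE\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<p>Up to 95% off! <a href="http://placeholder.mooo.com/ausverkauf.exe">'
    "Your personalised product information</a></p>\n"
    '<p><a href="http://www.example.org/newsletter.html">Unsubscribe</a></p>\n'
)

class _HrefCollector(HTMLParser):
    """Collects href values of <a> tags from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def extract_urls(msg):
    """Return every link found in the text/plain and text/html parts."""
    urls = set()
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
        elif part.get_content_type() == "text/html":
            collector = _HrefCollector()
            collector.feed(part.get_content())
            urls.update(collector.hrefs)
    return urls

def classify(url):
    """Return the list of reasons a link is suspicious (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    # Match on a label boundary so "mooo.com.example.org" does not count.
    if any(host.endswith("." + s) for s in FREE_DNS_SUFFIXES):
        reasons.append("free-dns-subdomain")
    if parts.path.lower().endswith(EXECUTABLE_EXTS):
        reasons.append("executable-download")
    return reasons

def scan(raw):
    """Map each suspicious URL in a raw RFC 5322 message to its reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {u: r for u in sorted(extract_urls(msg)) if (r := classify(u))}
```

Either reason alone is weak evidence, since free DNS services have many legitimate users; the combination of both is the pattern this report describes.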